diff --git a/rules/windows/process_creation/win_susp_disable_raccine.yml b/rules/windows/process_creation/win_susp_disable_raccine.yml
new file mode 100644
index 000000000..126cfd040
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_disable_raccine.yml
@@ -0,0 +1,33 @@
+title: Raccine Uninstall
+id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
+status: experimental
+description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
+references:
+  - https://github.com/Neo23x0/Raccine
+tags:
+  - attack.defense_evasion
+  - attack.t1562.001
+author: Florian Roth
+date: 2021/01/21
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection1:
+    CommandLine|contains|all:
+      - 'taskkill '
+      - '/IM RaccineSettings.exe'
+  selection2:
+    CommandLine|contains|all:
+      - 'reg.exe'
+      - 'delete'
+      - 'Raccine Tray'
+  selection3:
+    CommandLine|contains|all:
+      - 'schtasks'
+      - '/DELETE'
+      - 'Raccine Rules Updater'
+  condition: 1 of them
+falsepositives:
+  - Legitimate deinstallation by administrative staff
+level: high
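Review bot: selection2 requires the literal token `reg.exe` in CommandLine, yet the registry tool is routinely invoked from a shell without its extension (`reg delete …`), in which case the process_creation CommandLine field presumably carries no `.exe` and the removal of the "Raccine Tray" autorun entry goes undetected. Since `'delete'` and `'Raccine Tray'` already carry the discriminating value, loosening the first token to `- 'reg'` keeps the selection specific while covering both spellings; the same reasoning applies to selection3, where `'schtasks'` already matches with or without the extension. Consider also documenting in the description that selection1 only matches the `/IM` form, so a PID-based `taskkill /PID` of the settings process is out of scope; a one-sentence note such as `# selection1 covers the image-name form only; a /PID kill is not matched` would make the coverage explicit. The `title` reads "Raccine Uninstall" while the file is named `win_susp_disable_raccine`; aligning one with the other avoids confusion when rules are searched by name.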